Mark Villinski @markvillinski TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY

TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY · 2015-10-09 · TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY . Why do we have to educate employees about cybersecurity?


Page 1

Mark Villinski

@markvillinski

TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY

Page 2

Why do we have to educate employees about cybersecurity?

Page 3

2014 Corporate Threats Survey

http://media.kaspersky.com/en/IT_Security_Risks_Survey_2014_Global_report.pdf?_ga=1.57626858.1152823312.1404311525

• 94% of businesses suffered one cyber attack in the last 12 months

• Nearly 27% of companies lost confidential data as the result of an internal security incident

• Average cost of an accidental data leak: $39K for SMBs, $884K for enterprises

Page 4

QUICK POLL

Page 5

PERCEPTION VS. REALITY

B2B International and Kaspersky Lab, “IT Security Threats and Data Breaches,” October, 2014.

REALITY TODAY

Page 6

How bad is it out there?

Malware

1994

One new virus every hour

2006

One new virus every minute

2011

One new virus every second

Or 70,000 samples/day

Kaspersky Lab is currently processing 325,000 unique malware samples EVERY DAY

Page 7

The Basic Theory for Staying Secure

Simple math for advanced protection…

[Chart: x-axis "Investment in Security", y-axis "Chance of getting infected"]

The chance of getting infected drops exponentially while the cost of an attack increases linearly

Page 8

Tip #1: Regularly talk to employees about cybersecurity.

Explain the potential impact a cyberincident may have on company operations

An annual review and signing of an “I have read and understood company IT policies” statement is not enough!

Page 9

Anyone can be a target

Page 10

Tip #2: Remember that top management and IT staff are employees too!

Top managers are often targeted because:

• They have access to more information

• IT bends the rules for them

• The damage/payoff can be much bigger!

IT folks are vulnerable, too:

• Unlimited power over the network!

Page 11

Tip #2: Remember that top management and IT staff are employees too!

Page 12

Tip #3: Explain to the employees that while you make the best effort to secure company infrastructure, a system is only as secure as the weakest link

You don’t want them to just comply, you want them to cooperate

You can’t create a policy sophisticated enough to cover all possible vectors of attack

You can’t totally dehumanize humans. Humans have weaknesses and make mistakes.

Page 13

Tip #4: Have regular focused sessions with employees to explore different types of cyberattacks

Consider different formats (lunch and learn?)

Make it useful:

• Most of them have PCs at home and relatives who also need help

Make it relevant and responsive to real-world examples:

• Notice how much more often these topics hit the nightly news

• Those topics are big on social networks!

Page 14

Malware: What is it?

Malware, short for malicious software, is software (or script or code) designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems.

Characteristics:

– Single-instance signature to evade anti-virus

– Activates programmatically

– Connects to a Command & Control Center

– Keylogger, Ransomware, Remote Access Tool (RAT), and Man-in-the-Browser

Once a system is owned, it can’t be restored.

Page 15

Phishing Prevention: The 100% rules!

• Never click a link in an email

• Never open unexpected attachments

• Never provide information, no matter how innocuous it may seem, to unsolicited phone callers, visitors or email requests

• Never agree to an unsolicited remote control session (such as WebEx, GoToMeeting, LogMeIn)

• Your best defense: “Can I call you back?”

Page 16

Phishing Prevention: The 100% rules!

July 2012 – Yahoo Passwords Hacked

435,000 usernames and passwords hacked.

Particularly troubling? The login credentials are in plaintext, not even encrypted.

TOP TEN PASSWORDS FROM THE YAHOO HACK

1) 123456 (38%)

2) password (18%)

3) welcome (10%)

4) ninja (8%)

5) abc123 (6%)

6) 123456789 (5%)

7) 12345678 (5%)

8) sunshine (5%)

9) princess (5%)

10) qwerty (4%)

Page 17

Ransomware

• More than 40% of CryptoLocker victims agreed to pay

• A Dell SecureWorks report estimates that ransomware rakes in $30 million every 100 days

• Expanding victim base means unlimited financial potential

Page 18

Ransomware

Page 19

RSA: Targeted Attack Case Study

▶ On March 17th 2011, RSA announced that it was hacked

▶ During the 2011 Kaspersky Security Analyst Summit, Uri Rivner from RSA talked about how it happened:

▶ Two employees received an e-mail which contained a spreadsheet attachment labeled “2011 Recruitment Plan”.

▶ The e-mail had been marked as SPAM and put into the spam folder

▶ One of the employees opened it… and a zero-day Adobe Flash vulnerability was exploited.

Page 20

RSA E-mail & Attachment

http://www.f-secure.com/weblog/archives/00002226.html

Page 21

Phishing at ABC University

Page 22

How did this happen?

• Trickery. A spear-phishing attack.

  People were tricked by a believable e-mail message into giving their passwords to the bad guys

• Spear-phishers and their tactics

  Message crafted for ABC University

  Sent to a small number of selected people

  Strike on weekends & holidays, when you are less protected

• Goals

  To collect information that will let them steal money: passwords, social security numbers, bank account or credit card numbers

Page 23

Page 24

Page 25

Page 26

Not Encrypted: no https

Not going to real ABC University login site

Page 27

Page 28

Impact to people and ABC University

• The University was able to recover a good portion of the money

• Anyone can fall for a clever phishing scam

• The University did replace paychecks

This would be very challenging on a large scale

Page 29

Lessons learned

• Understand how to know if you are at the real University web login, or a clever fake

• Learn how to analyze email messages to detect ones that are malicious

• Find out how to protect yourself and your devices from cyber threats

• Know common scams
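The two login-page red flags on page 26 (no https, not the real ABC University login site) and the "learn how to analyze email messages" lesson above can be turned into a mechanical check. The following is an added example, not part of the original deck: it extracts every link from a constructed phishing-style HTML e-mail, compares each destination against the organisation's known login host, and reports the same red flags the slides teach. All domains (`login.abc-university.example.edu` and the look-alike `abc-university-login.example.net`) are hypothetical placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a phishing-style HTML e-mail body modelled on the ABC
# University case. Domains are hypothetical and not taken from the deck.
SAMPLE_EMAIL_HTML = """
<p>Dear staff, your payroll profile must be re-validated before Monday.</p>
<p>Please sign in at <a href="http://abc-university-login.example.net/portal">
https://login.abc-university.example.edu/</a> within 24 hours.</p>
<p>Questions? Visit <a href="https://login.abc-university.example.edu/help">the help page</a>.</p>
"""

# Hypothetical: the only host(s) on which the real university login lives.
TRUSTED_LOGIN_HOSTS = {"login.abc-university.example.edu"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only accumulate text while inside an anchor.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def check_link(href, text, trusted_hosts):
    """Return the red flags for one link; an empty list means nothing suspicious."""
    flags = []
    if urlparse(href).scheme != "https":
        flags.append("not encrypted: no https")
    if host_of(href) not in trusted_hosts:
        flags.append("not going to the real login site")
    # Visible text that looks like a URL but differs from the real destination
    # is the classic look-alike trick: the user reads one host, lands on another.
    if re.match(r"https?://", text) and host_of(text) != host_of(href):
        flags.append("link text shows a different host than the real destination")
    return flags


def analyze_email(html, trusted_hosts=TRUSTED_LOGIN_HOSTS):
    """Map every link destination in the e-mail to its list of red flags."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text, trusted_hosts) for href, text in parser.links}


if __name__ == "__main__":
    for href, flags in analyze_email(SAMPLE_EMAIL_HTML).items():
        verdict = "; ".join(flags) if flags else "no red flags"
        print(f"{href}\n    -> {verdict}")
```

Running the script prints three flags for the first link (plain http, unknown host, and link text that shows the real university host while pointing elsewhere) and none for the genuine help-page link. In practice the trusted-host set would come from the organisation's own inventory of login portals, and any link that trips a flag is a candidate for the "Can I call you back?" rule rather than a click.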

Page 30

Tip #5: Pay special attention to social engineering

A lot of cyberincidents start with a phone conversation with someone who poses as a co-worker and builds up an understanding of the company's internal structure and operations by asking innocent-sounding questions

A cybercriminal exploiting social weaknesses almost never looks like one

Page 31

A Dangerous Weapon of Cybercrime

Page 32

Piggybacking?

Page 33

The Importance of Securing Computers/Workstations

Windows: lock the screen with Win + L

Mac:

• Enable screensaver

• Check the “Require password to quit screensaver” check box

Page 34

Tip #6: Train your employees to recognize an attack

Communicate clear-cut step-by-step instructions on what to do if an employee believes a cyber incident is happening

If you are not trained, you will get lost when the “show” starts

Page 35

Training should involve things like:

Unplug your machine from the network (physically)

Notify your administrator

Remember that any and every keystroke can be sent to cyber criminals by a keylogger

If you can’t find your mobile device, immediately notify your administrator

Emergency number: if you can’t find your IT emergency number in under 20 seconds, you are doing it wrong.

…and so on

Page 36

Tip #7: Never disapprove of or make fun of an employee who raises a red flag

…even if it is a false alarm. Doing so will discourage employees from raising the alarm when a real cyber attack comes

I mean NEVER

If false alarms come often, improve the training approach

Page 37

Page 38

Tip #8: In case of an incident give your employees a heads up

Even if an incident has happened already, improper handling may (significantly) increase impact

Issue an instruction on how to speak to public/press about the incident

Have a plan in place BEFORE anything happens

Get insurance for cyber-incidents

Page 39

Tip #9: Test knowledge

Regularly

Make it relevant – remember they live digital lives. It matters!

Make it fun. Or rewarding. Or fun and rewarding.

Page 40

Phish Self-Testing (Too Successful 12/2013)

Page 41

Phish Self-Testing (Zero Success 5/2014)

Page 42

Phish Self-Testing eSlap

Page 44

Tip #10: Listen to feedback

If you force employees to change passwords every week, be prepared for them to write the passwords down and post them in their workplace

If access to something they need for work is too complicated, they will use personal email, USB sticks or fellow employees to bypass the restrictions

If something is out of balance, it will trigger unsafe behavior. Listening to feedback is how you learn the root cause of that behavior

Page 45

Systems Management & Actionable Patching

VULNERABILITY SCANNING

• HW and SW inventory

• Multiple vulnerability databases

REMOTE TOOLS

• Install applications

• Update applications

• Troubleshoot

LICENCE MANAGEMENT

• Track usage

• Manage renewals

• Manage license compliance

NETWORK ADMISSION CONTROL (NAC)

• Guest policy management

• Guest portal

ADVANCED PATCHING

• Automated prioritization

• Reboot options

SYSTEM PROVISIONING

• Create images

• Store and update

• Deploy

Page 46

Whitelisting & Application Control

• DEVICE CONTROL

• WEB CONTROL

• APPLICATION CONTROL WITH DYNAMIC WHITELISTING

Page 47

Encryption & Data Protection

[Diagram: Inside the Network | Outside the Network]

If cybercriminals seize control of the system and penetrate the corporate network, they may try to exfiltrate sensitive data such as configuration files, private keys and source code.

However, even if the criminals manage to download something, they will not be able to read the content of the encrypted files.

Page 48

Why Kaspersky?

Page 49

OUR LEADERSHIP IS PROVEN BY INDEPENDENT TESTS

Page 50

Questions & Answers

Mark Villinski

[email protected]

@markvillinski